6 Replies Latest reply on May 15, 2013 9:22 PM by Rajiv Dewan

    OIM 11.1.2 - All users visible in search results... for all users!

    Presto
      Hello.

      I'm seeing some strange behavior out of the box. If I create some non-admin end user, I can login to the identity console (:14000/oim), click the Users link, click search, and see ALL USERS in the search results. I can make changes and they will be submitted to the default approver (xelsysadm). Can that be right? Ideally we'd like to limit users so they can't see all users! Also org admins could only see users in that org which they administer.

      Thanks
        • 1. Re: OIM 11.1.2 - All users visible in search results... for all users!
          BikashBagaria
          I haven't worked on R2 but I guess you need to set the appropriate OES permissions for the same:

          http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/securityarch.htm

          -Bikash
          • 2. Re: OIM 11.1.2 - All users visible in search results... for all users!
            Karthik Perath
            Presto wrote:
            Hello.

            I'm seeing some strange behavior out of the box. If I create some non-admin end user, I can login to the identity console (:14000/oim), click the Users link, click search, and see ALL USERS in the search results. I can make changes and they will be submitted to the default approver (xelsysadm). Can that be right? Ideally we'd like to limit users so they can't see all users!
By default you will be able to see all users who belong to the logged-in user's organization. But if you don't want end users to do user searches, you can hide the Users link by using ELs.

            http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#BABHBFGH
            Also org admins could only see users in that org which they administer.

            Thanks
You can give the admin role to the user for the particular organization he should manage. This way, when the user with the admin role clicks Search Users, he will see all users under the organization he is admin of.
            • 3. Re: OIM 11.1.2 - All users visible in search results... for all users!
              Presto
              Thanks for the feedback.

              I know how the documentation says it should work, but even when I made User A an administrator of Organization A, I could still login and see ALL users. Any normal end user I created without any admin roles could also see all users.
              • 4. Re: OIM 11.1.2 - All users visible in search results... for all users!
                user9212679
                Hi,

                Below are the steps to disable the User link for the normal user :

1. Log in as an Admin user to the Self Service page
                2. Create a new sandbox and Activate.
                3. Click Customize.
                4. Click on View and select Source which will open new frame.
                5. Click on Administration Tab in left pane.
6. This will cause a pop-up to confirm Edit; click Edit
7. Click on the Administration Tab again.
8. In the Source pane, showDetailHeader: Administration should now be highlighted.
9. Click the Edit icon
10. A new pop-up opens.
                11. Scroll to bottom of Display Options tab.
                12. Click on down arrow to right of Show Component.
                13. Click on Expression Builder
14. Replace "true" with #{oimcontext.currentUser.roles['SYSTEM ADMINISTRATORS'] != null}
                15. Click on Test to confirm that for Admin user this returns TRUE
                16. Click OK
                17. Click Apply and then OK
                18. Click Close in the Source pane
19. Publish the sandbox.

                Now Login as a general user to the Self Service page. You should not see the Admin Tab.

                HTH
                • 5. Re: OIM 11.1.2 - All users visible in search results... for all users!
                  Presto
                  I know I can disable the link, I appreciate the feedback.

                  However, that's not my question. Why would they provide users the ability to view all user details out of the box? Wouldn't it be a better solution to deploy a custom OES policy? Why doesn't an Org Admin only see users just for their organization?

                  Thanks.
                  • 6. Re: OIM 11.1.2 - All users visible in search results... for all users!
                    Rajiv Dewan
I didn't see the other posts.

But in OIM R2, everything is based on the container (organization). If you are creating all the users in the same Organization, then they would be able to search users from that Organization.

If we have 10 users who are part of the same Organization, say Org A, then everyone would be able to search the other 9 members of that Organization.
                    Why doesn't an Org Admin only see users just for their organization?
Create an Organization Policy or set permissions at the Org level (tree-like structure for managing Organizations) for your enterprise.
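A way to confirm what the last reply describes, added here as a check and not part of any post in the thread: a small OIM client program that logs in as an end user with no admin roles, runs an unrestricted user search through the public UserManager API, and groups the returned logins by organization key. If every returned user shares the caller's organization, search is container-scoped as described; if users from other organizations come back, the behaviour the original poster reports is reproducible outside the UI and is not a console customization issue. The host, the test account and the use of UserManagerConstants.AttributeName.USER_ORGANIZATION for the organization key are assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import javax.naming.Context;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;

/**
 * Logs in to OIM as a non-admin end user, runs a wildcard user search and
 * reports how many users came back per organization key. Added check,
 * not code from the thread; host, account and attribute names are assumptions.
 */
public class EndUserVisibilityCheck {

    // Assumed environment details: replace with your own.
    private static final String PROVIDER_URL = "t3://oimhost.example.com:14000";
    private static final String END_USER_LOGIN = "enduser1";   // no admin roles
    private static final String END_USER_PASSWORD = "Welcome1";

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, PROVIDER_URL);

        OIMClient client = new OIMClient(env);
        client.login(END_USER_LOGIN, END_USER_PASSWORD.toCharArray());
        try {
            UserManager um = client.getService(UserManager.class);
            Map<String, List<String>> byOrg = searchAllUsersGroupedByOrg(um);

            System.out.println("Search run as " + END_USER_LOGIN + " returned "
                    + byOrg.size() + " distinct organization key(s):");
            for (Map.Entry<String, List<String>> e : byOrg.entrySet()) {
                System.out.println("  org key " + e.getKey() + ": "
                        + e.getValue().size() + " user(s) " + e.getValue());
            }
            if (byOrg.size() > 1) {
                System.out.println("Users from more than one organization are visible "
                        + "to a non-admin account: search is NOT container-scoped here.");
            }
        } finally {
            client.logout();
        }
    }

    /**
     * Runs "User Login = *" and groups the returned logins by organization key.
     * The org key attribute is assumed to be USER_ORGANIZATION ("act_key").
     */
    static Map<String, List<String>> searchAllUsersGroupedByOrg(UserManager um) throws Exception {
        String loginAttr = UserManagerConstants.AttributeName.USER_LOGIN.getId();
        String orgAttr = UserManagerConstants.AttributeName.USER_ORGANIZATION.getId();

        SearchCriteria matchAll = new SearchCriteria(loginAttr, "*", SearchCriteria.Operator.EQUAL);
        Set<String> returnAttrs = new HashSet<>();
        returnAttrs.add(loginAttr);
        returnAttrs.add(orgAttr);

        List<User> users = um.search(matchAll, returnAttrs, new HashMap<String, Object>());

        Map<String, List<String>> byOrg = new TreeMap<>();
        for (User u : users) {
            Object orgKey = u.getAttribute(orgAttr);
            String key = orgKey == null ? "<none>" : String.valueOf(orgKey);
            byOrg.computeIfAbsent(key, k -> new ArrayList<>()).add(u.getLogin());
        }
        return byOrg;
    }
}
```

Run it with the OIM client jars (oimclient.jar plus the WebLogic full client) on the classpath, `-DAPPSERVER_TYPE=wls` and `-Djava.security.auth.login.config=<oim client dir>/config/authwl.conf` set, first as the plain end user and then again as the user you made an organization administrator; comparing the two result sets tells you whether the org-admin role is actually narrowing or widening what the API returns, independent of anything hidden in the console.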